gozi_rm3 | 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 | Triage

Sharing

General

Target

crypted_loader_dll_64Donat_5.dll
Size

151KB
Sample

220407-sbgd4aefeq
MD5

55ab2f304f8c2da30aeee7713a95064d
SHA1

aae939cf3995905399e427097fc90c5b62f3d4c3
SHA256

41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547
SHA512

08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Score

10^/10

gozi_rm3 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300994

rsa_pubkey.base64

rsa_pubkey.base64

rsa_pubkey.plain

Targets

- Target
  
  crypted_loader_dll_64Donat_5.dll
- Size
  
  151KB
- MD5
  
  55ab2f304f8c2da30aeee7713a95064d
- SHA1
  
  aae939cf3995905399e427097fc90c5b62f3d4c3
- SHA256
  
  41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547
- SHA512
  
  08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3
Score

10^/10

gozi_rm3 banker trojan
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

Exfiltration

Impact

Tasks

static1

behavioral1

gozi_rm3bankertrojan

behavioral2

gozi_rm3bankertrojan